Back to skill

Security audit

Error Decoder / 错误解码器

Security checks across malware telemetry and agentic risk

Overview

This skill is low risk as packaged, but it is mostly generic marketing content rather than a useful error-decoding workflow.

Install only if you are comfortable with a very lightweight, marketing-heavy skill. It does not appear dangerous, but it also does not provide a well-defined troubleshooting workflow, and the unused curl requirement should be treated as unnecessary unless clarified by the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill claims to be an error-decoding tool, but a substantial portion of the file is unrelated promotional and affiliate content. This creates a trust and supply-chain integrity problem: users may invoke or distribute the skill expecting debugging functionality while receiving marketing material, and such mismatch can be used to conceal more harmful content in the future.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill does not clearly define when it should activate, what inputs it expects, or what boundaries apply to its behavior. Overly broad scope increases the chance of unintended invocation, prompt collision with other skills, and misuse on sensitive log or stack-trace data without clear constraints.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.